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(54) Over the air locking of user identity modules for mobile teiepiiones 



(57) A mobile telephone network in which user iden- 
tity module (UIM) locking is activated automatically by 
the network via signallingoverthe base station to mobile 
telephone common air inlerlace. The telephone network 
periodically or regularly queries the Internal Mobile 
Equipment IdentHy (IMEI) of the mobile telephone being 
used by subscribers on the system. If the I VIEI of a nfK>- 
bile telephone Is found on a 'stolen list' the network may 
then command the mobile station to activate UIM took- 
ing by messaging to and from the mobile telephone over 
the air interface to activate the UIM kicking function us- 
ing a transmitted bit pattern. 
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Descrlplien 

The present invention relates to a mobile terminal 
for telecommunications, for example a portable tele- 
phone, and to a communications network making use 
of such terminals. More particularly, the present inven- 
tion relates to ponable telephones employing user kien- 
tity modules (UIMs). 

Portable telephone systems are known that contain 
a subscriber or user ktontity feature wherein the tele- 
phone can be manually locked to a user ktonlity fVxxlule 
(UIM). 

European Patent application number 93302420.0, 
publication number EP 0.562,890 At to Green entitled 
'Mobile Communication Network with Remote Updating 
of Subscriber Identity Modules in Mobile Termkials*, 
filed 29 March, 1993 discloses a communfeatkxw net- 
work that has a swttchlng network including a mobile 
switching center which communicates, by radio tele- 
phone, with a mobile telephone. The mobile equipment 
contains a subscriber identity nradule which stores data 
' for controlling the operation of, and the facilities availa- 
ble to the user, of the mobile equipment. The switching 
network transmits updating signals to the mobile equip- 
ment which alter the data stored in the subscriber klen- 
tity module and hence alter the operation on faciities 
available. 

At present, mobile telephones, particularly those 
based on the Groupe Speciale MobOe (GSM) Stand- 
ards, contain an eiectronk: module, previously known as 
a subscriber klentity module or SIM and which is now 
called a user identity module (UIM). The UIM stores data 
to be used by the mobile telephone, also referred to 
herein as a mobile terminal (MT). The UIM is pra-con- 
figured tocontain a unk^e Uentifier for a particular user, 
and may also contain appropriate aulhentnatnn fune- 
twns. The UIM is also able to store temporary data such 
as paging messages and a telephone number directory. 

In current GSM based systems, the subscriber 
identity is not related to the mobile tenninal (MT). This 
is accomplished by the use of the UIM. The UIM is a 
module, or smart card, that installs in the phone and has 
a unique user identity Informatton. 

GSM based systems allow a user to insert his UIM 
card into any mobile terminal and be recognized by the 
GSM network via Inlormatton on the UIM rather than In- 
formatkxi associated with the particular terminal in use. 
In this system the mobile is UenliTiable by an IMEI (In- 
ternational Mobile Equipment Identity); however, que- 
ries to check this informatkm are 'expensive' in terms of 
processing and are not noimally verified on a per call 
basis. 

These factors have been exploited by thieves who 
have developed an extensive "black market' in terminals 
using GSM based interfaces and has resuHed in hun- 
dreds of thousands of mobile terminals being stolen 
each year. 

Known took f uncltons commonly have a four to eight 



digH pin coda and, if activated, the code must be entered 
each thne the nubile temrtinal Is powered up before any 
operatnns can be pertoimed. 

Also, mobile temninais also provkie a UIM kx:k de- 
f signed to prevent the mobile statnn from accepting un- 
authorized UMs without a master password. If activat- 
ed, the mobile statton will only accept previously author- 
ized UIMs. 

According to a first aspect of the present inventran 
10 there is provkted a mobile ccmmunicatnns network 
comprising at least one central base switching networit 
and a plurality of remote mobile terminals containing cir- 
cuits for transmitting and receiving electronic signals, 
each of said remote mobile terminals including a user 
IS Uentify module (UIM) containing personalized userdata 
tor controtling the transmisskxt of signals therefrom, 
wherein sakf central base switching network includes 
means for transmitting data signals to a selected remote 
mobile terminal for seleclively locking saU selected re- 
zo mote mobile terminal to saM included UIM and sakJ in- 
cluded UIM to said selected remote mobile tenninal, 
thereby selectiveiy preventing operatran of saM select- 
ed remote mobile terminal with any other of said UIMs 
and operation of sakt inc luded UIM with any other of said 
25 remote mobile terminale. 

According to a second aspect of the present inven- 
tion there is provkted a method for kxsMng a selected 
lemole mobile tenninal of a mobile communicatfons net- 
work having at least one central base switohing network 
30 and a plurality of remote mobfle terminals containing cir- 
cuits for transmlting and receiving eiectronk: signals, 
each of saM remote mobile terminals including a user 
klentity module (UIM) containing personaized userdata 
lor controlling the Iransmisskm of signals therefrom, 
3S comprising the steps of step 1 . transmitting data signals 
from sakl central base switching networit to a UIM of a 
selected remote mobile terminal and step 2. receiving 
sakl data signals transmitted from sakl central base 
switching ntwork and selectively locking said selected 
40 mobile remote tenninal to sati included UIM, and said 
included UIM to said selected remote mobile terminal, 
thereby preventhg operation of sakl selected remote 
mobile terminal with any other UIMs and operatbn of 
sakl included UIM with any other of sakl remote mobile 
^ terminals. 

Embodiments of the present invention may reduce 
the value of a stolen mobile terminal, once detected, by 
•kKsMng" the mobile terminal to the UIM card in use in 
the mobile teiminal at the time of detection, it any. Lock- 
s' ing the mobile terminal to a specific UIM means that the 
mobile temiinal cannot be used with any other UIM and 
thus diminishes its re-sale value. Additionally, this pro- 
cedure is coupled with infofmatkm collection about the 
UIM being used in the stolen mobile terminal for follow- 
-up by the proper authorities to recover the mobile 
temiinal . 

Exemplary embodiments in accordance with the 
present invention may provkie a moble telephone sys- 
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lem wherein UIM locking and unlocldng is activaled au- 
lomalicHlly by Ihe network via signalling over the BTS 
10 mobile muon comrnon air interlace. 

Exemplary cmtxxliments in accordance with the 
present invention may provide a mobile telephone sys- s 
tern that hIioms lor mo option of locking the UIM to the 
mobile telephone SbCh that the UIM can only be used 
with the spocilic Mssaciaiod mobile telephone. 

ExomptHiy ombodmentB in accordance with the 
present mvcnion mny provide a mobile telephone sys* lo 
tern that Mym ici the option of locking the mobile tele- 
phone to iho UIM such that the fflobile telephone can 
only be used wiir ir^c ssocitic UIM. 

Embqoinnonii oi t)o invention will now be de- 
scribed, by wrtv o> oan'npio wim reference to Ihe ac- 
company«>3(*>i«nn9& <nwnch 

Fig. 1 iS M achorviK tioch dMgram illustrating one 
embodvncni oi m communmiions networlc ol the 
present mvuniui 10 

Fig. 2 sho*n n how chxri si ito network logic, MSC 
OOolFig 1 itf Ihe pioccssngoi messages in ac- 
cordance with .1 method d the present invention; 

25 

Fig. 3 6hoiM» m naw chnn ol Iho mobile terminal log- 
ic.MTlOoiFig 1 lof Ihe processing of messages 
in accordance iir«h m mottwd ol the present inven- 
tion: 

Fig. 4 shows h llow ch«trt of Ihe user interface mod- 
ule logic. UIM 20 ot^ig l.toriheprecesslngof mes- 
sages: 

Figs. 5a and Sb show Ihe stnicture of messages 3S 
which may be usee tn ombodiments in aeeonjance 
. with the invention and 

Fig. 6 shows a )low chan lor initializatkjn logic re- 
quired in the UIM 20 ol Fig. 1 to carry out Ihe UIM- 40 
IMEI locking in an ombodiment of the present inven- 
tton. ' 

Currently, QSM mobile lomiinals are easily reused 
after being stolen simply by msenmg a valid UIM card il 4s 
the legitimate owner lorgot or negkjcied to 'kjck" his mo- 
bile to his UIM. Additionally since rental units would nor- 
mally not locked to a specilic UIM card, these mobile 
terminals are partKutaily vuineiable lo theft Due to 
these facts there is a flourishing market m stolen GSM so 
mobile terminals. In accordance with embodiments of 
Ihe present invention there is shown a mechanism and 
method by which a mobile lorminal which has been de- 
termined to be stolen can be locked to the UIM inserted 
in Ihe unit and thereby be made less valuable inlerms ss 
ol re-sals. 

A mobile terminal (MT) in accordance with Ihe 
present invention is kxked to Ihe UIM by an ovar-lhe- 
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air command. Additionally, embodiments of the present 
invention show a system wherein a UIM inserted in a 
mobile terminal can be locked to the mobile teiminars 
IMEI. thereby making the UIM usable only in the mobile' 
terminal il is kxked to. 

More particularly the telephone network perkxJfcally 
or regularly queries the IMEI of Iho mobile terminal being 
used by subscribers on the system. If the IMEI of a mo- 
bile terminal is found on a "stolen list' the network may 
then command the mobile stalkn to activate UIM lock- 
ing by messagng to and from ths mobile tennlnal over 
the air interface to activate the UIM kKking function us- 
ing a transmitted bit pattern. 

A communkatkms network typically includes a mo- 
bile switching center (MSC) that communicates, such 
as by radio telephony. wRh mobile tenninals (MT) such 
as a mobile letephorie. The mobile terminal contains a 
subscriber, or user identity module that stores data tor 
conUolUng the operation of and the tacilities available to 
Ihe user of ths mc^ile terminal. 

In accordance with an aspect of the present inven- 
tkx>, Ihe switehing network transmits updating signals to 
the mobileterminal that allers Ihe data and security sta- 
tus of the mobile terminal and/or the security status ol 
the user Identity module. 

Referring lo Fig. 1, a communications network is 
Shown inckiding a mobile terminal (MT) 10 such as a 
mobile telephone and a switching netwotit 8 containing 
mobile switching (MSC) center 30, a number of base 
station controllers (BSC) 40 for different call sites in 
which the mobile terminal 10 can operate an equipment 
ktontity register (EIR) 60 is connected lo a common 
equ'pmeni identity register (CEIR) 80 whtoh may be 
connected to other equipment ktentity registers 60-1, 
60-2, 60-N associated with other switching networks 
and their associated mobile terminals. An operation 
sub-system (OSS) 70 may be prcvkled to update the 
equipment identity register 60. Communication over the 
air to and from mobile tenninals such as mobile tenninal 
10 is earned out via a base statkm liansceiver unil (BTS) 
SO. 

Each mobile terminal in the communkatkms net- 
work such as mobile temoinal 10 includes a user Uentity 
nxxAjle (UIM) 20 that stores pre-programmed data 
unique to a panicular user and an international mobile 
equipmem kjentlty unit (IMEI) 15. Each intemalkxnal 
mobile equipment identity 15 is unique to lis mobile ter- 
minal 10 and is used lo identify the mobile terminal 10 
to the mobile swHch'ing center 30. 

tn Fig. 1, normal communicalkm occurs between 
the communKstnns network from the MSC 30 to a nrK>- 
bile telephone or other nwbile temilnal MT 10 via one 
at many base elation controllers BSC 40 over one of its 
associaled base transceiver systems BTS SO. 

The MT 10 contains a user identity module UIM 20 
whteh stores a unk|ue Menllfier of a specific user as well 
as any available aulhenticalion luncUons for that user. 
The MT 10 also contains a unique international mobile 
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equipment identity IME1 15. 

The MSC 30 contains or has communication chan- 
nels to access the home location register HLR 35 lor a 
specific user. The HLR 35 contains a lunctkmal sulxS- 
vision known as the authentication center AuC 36 which 
manages the security data used for the authentication 
ot users. Together, the AuC 36 (unctions ol the HLB 35 
and the corresponding authentication (unctions in the 
DIM 20 provide a relatively secure and robust means to 
validate or authenticate a user and thus prevent various 
types at fraudulent use. 

The MSG 30 has communications channels to ac- 
cess an equipment identity register EIR 60 which is a 
datal>ase whicti contains information regarding the va- 
lidity and status of mobile equipment MT 10 via their in- 
ternational ntobile equipment identitiers IME1 15 Imown 
to the communication networic. The EIR 60 contains 
three lists'. One is the "white list' which includes the 
range ol valid lype-approved mobile equ^ment MT 10. 
Another is the 'black list' which includes the list of IMEI 
1 5 which have been reported as either stolen or having 
severe maKunctions. The third list, 'grey list' is an inter- 
mediate between 'white' and 'black' which includes sus- 
pect units betore authorities confirm black listing. 

The stops ot a process irv accordance with the 
present invention are shown in the blocks of fiq. 2. At 
the start of communications between the MT 10 and the 
MSG 30 various obligatory messaging sequences are 
exchanged which are common knowiadge to one skilled 
in the art. Atter this conventkmal messaging the MSC 
30 is required to obtain the IMEI1 5 o( the IVIT 1 0 as in- 
dicated in Fig. 2 block 300. In conventional systems this 
is accomplished by the transmission of IDENTITY RE- 
QUEST Itflessage to the MT 10. The conventional MT 
10 responds with IDENTITY RESPONSE Message 
which conlainB the IME1 15. One of the features In ac- 
cordance with the present inventton is the optimization 
of this messaging exchange by including the IMEI 15 
informaiion in the conventional obligatory messages 
noted earlier. Specifically in a preferred embodiment of 
this invention the IME1 15 information is packaged in the 
LOCATION UPDATING REQUEST message from the 
MTIO. 

The lormat and structure o( the LOCATION UPDAT- 
ING REQUEST in conventional systems may only cany 
the IMEI i( the MT 1 0 does not contain an UIM 20 or the 
UIM 20 is considered invalk) for some reason. It is the 
subject of an oplimizatton aspect of this vwention lo al- 
ways include the IMEI in the LOCATION UPDATING 
REQUEST whether or not a TMSI or IMSI is also includ- 
ed in this message. Inthose cases where a TMSI or IMSI 
is also included in the LOCATION UPDATING RE- 
QUEST, the message shall contain two MOBILE IDEN- 
TITY Informatton element one for TMSI or IMSI and one 
for IMEI. In those cases where the LOCATION UPDAT- 
ING REQUEST contains only the IMEI the message 
shall be identteal to the conventionat LOCATION UP- 
DATING REQUEST used in toda/s systems. 



Regardless of how the IMEI 15is obtained, via MSC 
30 explKit IDENTITY REQUEST sequence or automat- 
kally via a preferred enhancement of the LOCATION 
UPDATING REQUEST or other conventkjnal obligatory 
s message, the MSC 30 queries the EIR 60 at bkx:k 305 
of Fig. 2 to determine the status of the IME1 15 reported 
from the MT 10. If the EIR 60 indicates that the IME1 15 
is included in the "black list' as a stolen mobile or as a 
unit with severe malfunction at block 310 control (lows 
» to bkKk 311 where the MSC 30 determines if the MT- 
UIM Locking function is enabled. If the EIR 60 query in- 
dicaled that the niobile terminal was not stolen or 'black 
Usted* in block 310, control branches to bkxk 335 and 
the process is finished. 
IS The MT-UIM Locking functton will normally be ena- 
bled, but may be disabled for a particular MSC 30 if its 
operator so desires. If the functton is enabled In titock 
311 branching at btock 311 passes to block 315. 1( MT- 
UIM Locking function is disabled branching at block 311 
20 passes to block 320. 

When control is passed to block 315 the MSC 30 
constructs a SECURITY REQUEST MESSAGE indtoat- 
Ingan MT-UIH^ LOCK command (Fig. 5a) and transmits 
this message via the BSC 40 and BTS 50 units in com- 
as munication with the MT 10 illustrated in Fig. 1. In a pre- 
ferred embodiment of the invention aH SECURITY RE- 
QUEST messages are transmitted Inclphered mode. 

The SECURITY REQUEST MESSAGE indteaUng 
MT-UIM LOCK command contains a RAND and SRES 
30 pair provided via the AuC 36 function of the HLR 35 as- 
sociated with the user UIM 20 in order lo provide the MT 
10 with a means lo ensure that the command is valid 
and not the result ol unauthorized mischief or 'hacking'. 
Control flow from block 315 continues to btock 316. In 
95 bkick 316 the MSC 30 is expecting a response from the 
MTIO. 

Fig. 3 outlines a mobile equipment togic MT 10 as- 
sociated with an aspect of the inventkjn. When a mes- 
sage is received from the MSC 20. the MT 10 must de- 

40 termine if the message received represents a command 
to activate one of the newfy defined LOCKs step 100. 
First check preferred is ktontified in step 105 as the 
check to see if the message is a SECURITY REQUEST 
MESSAGE INDICATING MT-UIM kjck. II the message 

4S contains such a command, control flow branches (orm 
105 to step 120. It the message Is not a MT-UIM LOCK, 
control now branches from step 105 to step 110. 

Mobile equipment MT 1 0 processing (rom steps 1 10 
onwards will be discussed foHowing the MSC 30 logic 

so associated with UIM-IMEI kxking step 325 of Fig. 2. 

In step 120 of Fig. 3 the MT 1 0 must verify that the 
message received is authorized. This is done by uliizing 
convenlkxial authentication procedures in the UIM 20 
conrt>ined with new procedures in the MT 1 0 to execute 

ss the function. As noted in Fig. 5a, the MT-UIM LOCK 
message contains the RAND from the AuC 36, which is 
well known to one skilled in the art. In order to harden 
this procedure, the prefened embodiment of this inven- 
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lion will place adcfitional requiramanl on the RAND to 
protect against hacking. These requirements should be 
well consktored and specific to a particular implemerv 
tation. The preferred method of hardening recommend- 
ed is lo have the MT 1 0conslntct an AUTHENTICATION 
REQUEST with a randomly chosen RAND and transmit 
this request to the MSC 30. The MSG 30 vrauM then 
send the RAND received from the MT 10 to the appro- 
pnate HLR 35 AuC 36 function and receive the correct 
5RES response. The MSG 30 would then conslnjct an 
AUTHENTICATION RESPONSE message containing 
said SRES and transmittolheMT 10. TheMT lOwouW 
Ihon compare the SRES received in the AUTHENTICA- 
TION RESPONSE from the MSG 30 to an SRES that 
UIM 20 calculated using the RAND originally sent to the 
MSG 30 n the AUTHENTICATION REQUEST mes- 
sage II these two SRES values match, the SECURITY 
REQUEST is considered authentic. This method re- 
quires the MSC 30 and AuC 36 modified to suppon the 
messaging exchanges noted which are readily under- 
stood by one skilled in the art. Anbther example, of hard- 
ening considered couM be to maintain a list of sufficient 
length oi previously received RAND and checking the 
RAND received in the message against this list. 11 the 
RAND is lound in Iho list maintained, and one considers 
the probability of such a match unlikely the message 
may be discarded and control flow branches lo slap 1 31 . 
This type ol procedure may be combined with other pro- 
cedures such as monitoring the frequency that various 
messages containing RAND are received; however, 
specifically identifying any method of additional harden- 
ing would only serve to provide 'hackers' with informa- 
tion which thsy should be denied. If the RAND passes 
the recommended hardening techniques chosen (or the 
partteular MT 10 implementation, the MT 10 proceeds 
with aulheniieation process. The RAND is sent to the 
UIM 20 via conventional means and the UIM 20 returns 
an SRES value calculated in the convenlional fashion 
by UIM 20 authentcation k>gic. In step 130 the MT 10 
than compares the SRES received in the MT-UIM LOCK 
messages from MSG 30 lo the SRES calculated by the 
UIM 20. II the two SRES values are kientical, MT-UIM 
LOCK command is considered authentic and authorized 
and control (low branches from step 1 30 to step 140. If 
authentication tails in step 1 30, control (low branches to 
step 131. 

In step 140 the MT 10 executes internal UIM locking 
procedures that modily the MT 10 processing lo only 
accept the UIM 20 card that is currently installed in the 
MT 10 UIM tocking procedures are unk^ue to the hard- 
ware and software design ot the MT 10 in questnn are 
must be ctosely guarded to ensure the security of this 
(unctkjn against 'hacking' or other fraud. UIM kwking 
procedures lor a specific MT 10 design are well known 
to those skilled in the art and appl'icalion to a specific 
MT 10 design but never disclosed due to the security 
risk o( such disctosure. Control (tows from step 140 to 
step 141 where the MT 10 dalenn-vies it the MT-UIM 



LOCKING procedure was successful, if so control flow 
branches to step 142 and if not to step 131. 

In step 142lhe MT 10 has veriTiedlhal ishas kKked 
to the UIM 20 in questton and therefore constnjcts a SE- 
s CURITY RESPONSE (Rg. 5b) indicating the MT-UIM 
LOCK was successful. This message is transmitted to 
the MSC 30. Control (low falls to step 1 50 and the proc- 
ess is fmishad. 

Step 131 constnjds a SECURITY RESPONSE in- 
to dicaling the MT-UIM lock operation failed and the failure 
reason. This message is then transmitted to the MSC 
30 and indicates the failure reason as either authentka- 
tion failure or other processing failure. Control flow then 
(alls to step 150 and the process is finished. 
>5 Having explored the control flow of MT 10, refer- 
ence is now made to Fig. 2 step 316 and where the dis- 
cussion regarding the MSC 30 control flow was left, The 
MSC 30, having received a response or timing out on a 
response from MT 10 has its coritiol (tows from step 31 6 
20 to step 317 where the MSC 30 stored the inlotmatton 
regarding the results ol the MT-UIM LOCK operatton 
(rom the MT 10 for future referencci by step 330. Then 
control ftows Irom step 317 to step 320. 

In btock 320 the MSC 30 delermines whether UIM- 
IMEI Locking function is enabled. The conditions lor de- 
temnining il this (unctkm is enable will vary greatly do- 



cttier factors therelore, a 'normar mode of apeiatK>n is 
not expected for this functkx), it is completely at operator 
90 preterence; however, if the tunclton is enabled control 
(towbranches (mm btock 320to btock 325. Kthelunction 
is disabled controlftowbranches (rom btock 320 tobtock 
330. 

In block 325. the MSG 30 constructs a SECURITY 
3S REQUEST indteating a UIM-IMEI LOCK command and 
transmits this message to the MT 10. Uke the MT-UIM 
LOCK command, the UIM-IMEI LOCK command con- 
tains a RAND and SRES pair (rom the AuC 36 (unctbn 
associated with the UIM 20 as a means to authentk»te 
40 the operation. Control fksw (rom block 325 proceeds to 

The MSC 30 control flows from step 325 to step 326 
where the MSC 30 eltectivaly waits (or a response or 
wi« timeout waiting on a response lor MT 10, thus will 

« now focus on the MT 1 0 processing noted in Fig. 3. 

As noted prevkjusly. when the MT 10 receives a 
massage from MSC 30. the control ftows through step 
100 lo 105. II in step 105 the message received did not 
indteate an MT-UIM kxdt command control ftows (rom 

so step 105 to step 110. 

Step 110 test the contents ot the received message 
to deteimine it it contains a UIM-IMEI LOCK command. 
It so, control branches from step 110 to step 125. If not, 
control (tow branches bom step 110 to step 115. 

ss step 1 1 5 represents the processing ot other com- 
mands received (rom MSC 30 which are not of interest 
and therelore we can conskler processing in this em- 
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Step 125 is responsible for ensuring the authenticity 
of the received UIM-IMEI LOCKcomnrand. As indicated 
in Fig, 5a. the SECURITY REC3UEST indicating UIM- 
IMEI LCX:k command contains the RAND and SRES 
calculated lor the UIM 20 in question by the AuC 36 as- 
sociated with this UIM 20. As noted in the discussion of 
Fig. 3, step 120, preferred embodiments will have addi- 
tional hardening requirements placed on Ihe RAND by 
the MT 10. These hardening requirement may be inten- 
tionally ditlereni from those chosen In step 120 or iden- 
tical depending on bnplemenlors decision. II the hard- 
ened RAND requirements do not pass the MT 10 de- 
clares Ihe cortmtand invalid in step 135 and branches 
10 step 136. Othenvise the UIM-IMEI LOCK command 
is transferred Irom the 1^ 10 to the UIM 20 complete 
with both the RM4D and the SRES contained in the mes- 
sage received from the MSC 30 lor further processing. 
Control flow then proceeds from step 135 to step 145. 

In step 1 45 the MT 10 transmits the Uf M-tMEl LOCK 
- message lo the UIM 20 and wails for the results ol the 
operation or timeout. 

Fig. 4 indicates the control llow within the UIM 20 
lor the processing of the UIM-IMEI LOCK comnfand. 
The process is inAiated by Ihe receipt of the UIM-IMEI 
LOCK command Irom the MT 1 0 step 145 which results 
in step 200 of Fig. 4 UIM 20. Control flows from step 200 
10 step 205 where the UIM extracts the RANO contained 
in the UIM-IMEI LOCK message and calculates SRES 
in the conventional lashion. Once the UIM 20 has cal- 
culated SRES in step 205 control flows into step 210 
where the UIM 20 calculated SRES is compared to the 
SRES contained in the UIM-IMEI LOCK message Irom 
MSC 30. II the two SRES values are identical, control 
branches from step 210 to step 215. If Ihe two SRES 
values are not Identical, control branches Irom slep 210 
lo step 230. 

In step 215 the UIM 20 request the IME1 15 liom Ihe 
MT 10. The IME1 15 value Is stored in the UIM 20 for 
luture reference in every initialization cycle, etc. Control 
flows from step 21 5 step 220 where success of step 215 
is tested. II the operation completed successfully, con- 
trol flows from step 220 to step 225. If not, control 
branches Irom slep 220 to step 230. 

Step 225 stores the lad that the UIM is now suc- 
cesslully locked to a specific IME1 1 5 by storing an indi- 
cator of this fact on Ihe UIM 20. Additionally, the UIM 20 
indicates to the MT 10 that the ulM-iMEl LOCK com- 
mand has been successfully executed. Control flows 
Irom step 225 to step 235 and the process is finished. 

Step 230 sends an indication to the MT 10 that the 
UIM-IMEI LOCK operation in step 145 (or timeout) and 
proceeds to slep 146 where if the operation was suc- 
cessful, MT 10 control branches from slep 146 to step 
147. If not, control branches from step 146 to step 136. 

In step 147 the MT 10 constniets a SECURITY RE- 
SPONSE indicating the UIM-IMEI LOCK was success- 
lul and transmits this message to the MSC 30. Control 
in the MT 10 then flows from step 147 to step ISO and 



the MT 10 process is complete. 

In step 135 the MT lOconstniCis a SECURITY RE- 
SPONSE indicating UIM^MEI LOCK lailure and trans- 
mits this message to MSC 30. Control in MT 10 then 
s flows from step 136 to st^ 150 and the MT 10 process 
is complete. 

In slep 136 the MT 10 constructs a SECURITY RE- 
SPONSE indicating UIM-IMEI LOCK lailure and Irans- 
mits this message to MSC 30. Control in MT 10 then 
10 nowsfromstep136tostep150andlheMT10pfocess 
is complete. 

Referring now to Fig. 2, control flow from step 326 
proceeds lo slep 327 as the MSC 30 has received a re- 
sponse from the MT 10. In step 327 MSC 30 stores the 

»s results reported from the MT 10 for reference in step 
330. The control then flows from step 327 to step 330. 

Bloek 330 handles the processing of administrative 
reports. In a preferred embodiment, these reports will 
contain the IMEI l5of the MT 10 in question, the status 

20 associated with the IME1 15 Irom the EiR 60. information 
regarding tte user associated with the UIM 20 contained 
in the MT 10 and the action take by the MSC 30 which, 
depending on the branches taken, maf include: Report 
Only, MTA-UIM LOCK (success/lailure/not attempted), 

2S UIM-IMEI LOCK (success/la»ure/not attempted) as well 
as the results of MT 10 locking operations if appHcable. 
These reports wouM eventually tonwaided to the proper 
authorities for possibte criminal investigations, etc. 
In step 60S Ihe UIM 20 request the IME1 15 of the 

90 current MT 10. Control flows from step605 to610 where 
the success of the IMEI queiy operatbn ol step 605 is 
checked. 11 the IME1 15 of Ihe current MT 10 is received, 
control branches from step 61 0 to step 61 5. If not, con- 
trol branches from step 60S to step 625. 

3S Step 615 compares the IME1 15 received from Ihe 
current MT 10 to the IME1 15 stored on the UIM 20 in 
step 215 of Fig. 4. If the two IMEI values are identical, 
control ftow branches Irom step 620 to step 699 where 
convenltonal processing continues and the process is 

40 linished with respect to the current inventton. If the two 
IMEI values are not identkal, control branches (lom step 
620 to step 625. 

In step 625 the UIM 20 indicates that the inlUaliza- 
tksn process is halted to the MT 10 because the UIM 20 
is currently tocked to an IMEI 15 that is dillerent Irom 
the IME1 15 received Irom the cun'ent 1^ io. Control 
than flows from step 625 to step 630 and the process Is 
rnished. 

Fig. 5a is a preferred embodiment of the MSC 30 to 
50 MT 10 SECURITY REQUEST message. The message 
is new; however, several components ol the message 
are conventionaVy used in the existing system. The new 
informatton elements are SECURITY REQUEST MES- 
SAGE TYPE which is an eight bit value which will 
ss unquely ktonlify this message type within the MOBILI- 
TY MANAGEMENT set of messages. This value is as- 
signed by standardizatton bodies any value is accepta- 
ble as long as it is unk^ue in the SECURITY MESSAGE 
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range of Mobility management message types. The next 
new information alament is TYPE OF SECURITY RE- 
QUEST. The preferred length ol this information ele- 
ment is eight b'rts. One Irit is reserved. One bi is used 
to indicate the lock stats requested where 0 signifies 
'UNLOCK' and 1 signifies 'LOCK'. One bH Iq indicate 
MT-um lock and one bit to indicate the UIM-IMEI kx:k. 
The rest resen/ed The l\AT-UIMand UIM-IIVIEI bits could 
be used as a bit mask such that the MSG 30 couU in- 
struct the MT 10 to lock action or untock both k»ks via 
one message; however, the preferred embodiment is 
only one lock per message for simplicity. Numerous oth- 
er formats and structures could be employed to realize 
this embodiment of the Invention. 

Fig. Sb is a preferred embodiment of the MT 10 to 
MSG 30 SECURITY RESPONSE. As noted in Fig. 5a 
several of the information elements are conventional. 
The SECURITY RESPONSE MESSAGE TYPE Is an 
eight bit value which will unk^uely Mentify this message 
type within the MOBILITY MANAGEMENT set of mes- 
sages. This value is assigned by i 
any value is acceptable as long as it Is unique in the 
SECURITY MESSAGE range of Mobility management 
message types. The TYPE OF SECURITY REQUEST 
is as described In Fig. 5a. For simplicity, the preferred 
embodiment is only one lock action per message; how- 
ever, If there were more than one kxk Uentifier set In 
the SECURITY RESPONSE message, there wouM be 
multiple RESULT CODE information elements, one tor 
each kick identified set (i.e. value 1). The RESULT 
CODE would map such that the first RESULT CODE IE! 
corresponds to the k>ck identified in the least significant 
bit of the locking bit map, etc. Value of "0* indicates that 
the operatton was successful. The RESULT CODE val- 
ue of '1 ' indicates failure because SRES calculated by 
UIM 20 did not match the SRES in the SECURITY RE- 
QUEST The binary result code of '10* indicates the op- 
I eratnn failed due to a time out failure of the preferred 
hardening technkjue of sending the authentnation re- 
quest message to the MSG 30. The binary result code 
of '11' indk»tas the SRES of the authentteatkm re- 
sponse from MSG 30 was incorrect Allothervalues rep- 
resent vartous types of failures whose meaning is only 
known to the manufacturer of the MT 10 involved. Nu- 
merous other formats and structures coutd be empk>yed 
to realize this embodiment of the invention. 

Fig. 6 illustrates UIM 20 hsgte whteh must be Insert- 
ed before conventnnai logk; in order to realize the UIM- 
IMEI LOCK inventkMi. In slep 600. as soon as possible 
in the conventnnai processing of the UIM 20 and before 
UIM 20 initialization is complete, the UIM 20 checks its 
control sinjctures to determine il the UIM 20 is currently 
locked to a specific IME1 15 associated with a specific 
MT 1 0. If so, control branches from step 600 to step 605. 
If not, control flow branches from step 600 to step 699 
where conventkmal processing continues and the proc- 
ess is finished with respect to this embodiment ol the 



Note that a similar figure for mobile equipment MT 
10 initializatbn processing couU be provWed; however, 
since MT 10 to UIM 20 kMking currently exist via dWfer- 
enl actlyatkxi methods this information is weU known to 
5 those skilled in the an and is not described herein. 

Embodiments in accordance w'lth the present inven- 
tion ideally support the unkwking of both the MT-UIM 
and UIM-IMEI functions via messages. To one skilled in 
the an. the format ol the SECURITY REQUEST mes- 
fo sage supports this via the 'UNLOCK* bit discussed in 
Fig. Sa The togic and control f tows for the untock oper- 
atkMis are obvtous when conskfering Figs. Sand 4. The 
togical unlock opetalkm for MSG 30 is much the same 
as the k>ck operations except the triggers in Fig. 2, step 
>£ 310 may be the 'while listing' of a previously 'black listed' 
MT 10 or manual interaclcn via an operator's technician 
and various MSG 30 interfaces to force the transmission 
of the appropriate unkxk comn>and(s). A preferred em- 
bodiment supports both the 'batch' type process of 
so 'black listed' transition to 'white listed' and manual inter- 
tion. 

While embodiments of the invention have been dis- 
ctosed in detail, il ehoukJ be understood by those skilled 
in the art that various other modifications may be made 
ss to the illustrated embodiments without departing from 
the scope of the invention as described in the spscifica- 



A mobile communications network cwnprising at 
least one central base switching network and a plu- 
rality of remote mobile tenninals oonfahing circuits 
lor transmitting and receiving eledronic signals, 
each of said remote mobile terminals includinga us- 
er ktontity module (UIM) containing personalized 
user data for controlling the transmission of signals 



wherein said central base switching network 
includes means lor transmitting data signals toa se- 
lected remote mobile terminal for selectiveiy locking 
sakj selected remote mobile terminal to sah) includ- 
ed UIM and eaM Included UIM to saki selected re- 
mote mobile terminal, thereby selectively prevent- 
ing operatton of said selected remote mobile temni- 
nal with any other of sakl UIMs and operatton o) sato 
included UIM with any other of eaid remote mobye 
tenninals. 

A mobile communKaiions network according to 
claim 1 wrtierein said central base switching network 
includes means lortransmitting data signals toa se- 
lected remote mobile terminal for locking saki se- 
lected remote temriinal to said included UIM, there- 
by preventing operatton of said selected remote 
mobile terminal wfth any other of said UIMs. 
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3. A mobile communications network according to 
claim 1 or claim 2 wherein said central t»se switch- 
ing network Includes means for Iransmiiting data 
signals to a setecled remote mobile lemilnal for 
locking said included UIM to said selected remote 
lemninal thereby preventing operation of said in- 
cluded UIM with any other of said remote mobile 



4. A mobile communications networli according to 
claim 1 . claim 2 or claim 3 wherein each Ul M in each 
of said remote mobile temiinals includes a storage 
means (or storing said personalized user data. 

5. A mobile communications networic according to 
clam 1 wherein each UIM in each of said remote 
mobile terminals includes means responsive to said 
data signals transmitted trom said central base 
switching network lor preventing operation of said 
lemote mobile temiinal with any other UIM when 
said transmitted data signal data is the same as said 
personalised user data stored in said UIM of said 
remote mobile tenninal. 

6. A nriobilo communications network according toany 
preceding claim wherein said remote mobile termi- 
nals are cellular telephones. 

7. A mobile communications network aceofdingtoany 
preiceding claim wherein each of said remote mo- so 
bile temninals include a unique international mobile 
equipment idenlity(IMEI). 

8. AmobilecomrnunKatkxisneiworkaceoidingloany 
preceding claim wherein said central base switch- 35 
ing network includes a mobile swHching network in- 
cludes a mobile switching center (MSC) connected 

to at least one base station control (BSC) and at 
leaM one base transceiver system (BTS) tor trans- 



ized user data (or controlling the transmission o( sig- 
nals therefrom, comprising the steps of : 

etep 1 . transmitting data signals from said cen- 
tral base switching network to a UIM of a 
selected remote mobile terminal 

step Z receiving said data signals transmitted 
from sakl central base switching network 
and selectively kicking said selected mo- 
bile remote terminal to saki included Ul M. 
and said inckjded UIM to said selected re- 
mote mobile lemiinal, thereby preventing 
operatnn of saM selected remote mobile 
tenninal with any other UIMs and openi- 



oJ sakj remote mobile terminals. 

11. A method for kicking a selected remote mobile ter- 
minal of a mobile oammunkatkxis network accord- 
ing to claim 10 wherein h said included UIM is 
hxked to a sakl specif k remote mobile terminal. 

12. A method for locking a selected remote mobile ter- 
minal o( a mobile communications network accord- 
ing to claim 10 or claim 11 wherein in step 2 said 
specific remole mobile terminal is locked to said in- 



mobile terminal. 



claim 8 wherein sakf mobile switchbig center (MSC) 
includes a home location register (HLR) having an « 
auihentlcatkm center (AUC), and wherein sak) mo- 
bile switching center (MSC) is connected to an 
equipment Mentily register (EIR) containing data re- 
garding the valklity and status ol said mobile termi- 



10. A method lor locking a selected remole mobile ter- 
minal of a mobile communications network having 
at least one central base switching network and a 
plurality of remote mobile temnlnale containing cir- 
cuits for transmitting and receiving electronic sig- 
nals, each of saw remote mobile terminals including 
a user MentHy module (Ulk^ containing personal- 



is. A method for locking a selected remote mobile ter- 
minal of a mobile communkiations network accord- 
ing to claim 10 or claim 11 step 2 includes connpar- 
Ing saM personalized user data in said UIM to sati 
recaivad data signal from saU central base switch- 
ing network, and tocking sakl UIM and preventing 
operation of sakf selected remote module when 
sakl received data is the same as said personalized 
user data. 

14. A method for kicking a selected renrote terminal of 
a mobile communrcatkxis network according to 
claim 13 that further includes authentication proce- 
dures contained in said UIM. and wherein step 2 
further inchJdes comparing the results of saU au- 
thentteation procedures. 

15. A method lor a selected remote mobile terminal of 

a mobile communicalions network according to any ' 
preceding claim wherein said step 1 includes the 
steps o( oblaNng the international mobile equip- 
ment kJenlily (IMEI) of said selected mobile temni- 
nal, quering an equipment identity register (EIR) on 
the status o( the international mobile equipment 
identity to determine if the selected remote mobile 
temiinal is stolen, and transmuting a user kientity 
module kx:k command to sakJ selected remote nio- 
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16. A method for locking a selected remote mobile ter- 
minal of a'mobile communications network accord- 
ing to daim 10 wherein said step 2 includes deter- 
mining if a received comrnand transmitled from said 
central base switching network b a kx;k command, 
verifying the authenticity of said took command, and 
executing a mobile terminal to user identity module 



17. A method for locking a selected remote mobile ter- 
minal of a mobile communicatnns network accord- 
ing to claim 1 6 wherein step 2 further includes send- 
ing an acknowledgment from saU saleoted remote 
mobile tenmlnal to saU central base switching net- 
work that said selected remote mobile temiinal has 
been locked. 
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